You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@ranger.apache.org by "Madhan Neethiraj (JIRA)" <ji...@apache.org> on 2018/03/01 01:18:01 UTC

[jira] [Created] (RANGER-1999) Policy evaluation to support multiple values for accessed resource

Madhan Neethiraj created RANGER-1999:
----------------------------------------

Summary: Policy evaluation to support multiple values for accessed resource
Key: RANGER-1999
URL: https://issues.apache.org/jira/browse/RANGER-1999
Project: Ranger
Issue Type: Improvement
Components: plugins
Reporter: Madhan Neethiraj
Assignee: Madhan Neethiraj

While evaluating access requests, Ranger policy engine picks policies based on the resource value specified in the access request. Currently access-resource abstraction only supports a single value for each resource-type - like database/table/column. Authorization of access to some resources might require the policy engine to pick policies based on multiple values for a resource.

For example, consider access authorization for an entity in Apache Atlas. An entity has a specific-type and a number of super-types - example: type=database super-types=[dataset, asset]. While authorizing access to a database entity, policies specified for its super-types, dataset and asset, should also be evaluated.

To enable such usecases, Ranger policy evaluation needs to be enhanced to support a list of value for a resource. Policies that match for any of the given values should be evaluated to determine the access result. Note that this enhancement doesn't require any updates to the policy model; the changes are needed only in the policy-engine.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)